Legacy privileged accounts make UK businesses vulnerable

25th Jan 2012

Osirium (https://osirium.com), a leader in Privileged User & Infrastructure Management, has today released recent research findings which indicate that the administration required to close legacy privileged accounts is often overlooked when individuals move on or change roles within an organisation.

At a time when companies are under increased scrutiny to ensure that security procedures are followed, these findings might come as a shock to some. Equally worrying, the research also suggests that plenty of privileged user accounts are likely to still exist that are not associated with active system administrators, let alone responsible ones.

“It seems obvious stating that if the wrong individuals get access to these credentials, they may use them for malicious purposes, but it seems that companies continue to be oblivious to these threats, or just hope that it won’t happen to them,” said David Guyatt, CEO at Osirium. “To make things worse, these credential details are often embedded in applications so they rarely get changed, even after they have unknowingly been compromised.”

“If you are trying to compromise an organisation’s IT system then you ideally need to have privileged access,” explains David Guyatt, CEO at Osirium. “Knowing a user’s log-in details is a starting point, but they might not get you that far unless they’re credentials with privileged access. Privileged user accounts are so appealing to hackers because they have a much wider and more powerful range of controls than a normal network user – often far more than these individuals actually need.”

Osirium’s research showed that 58% of organisations did not have full control over the management of such accounts. 54% of respondents also admitted that accounts could be left active, even when a privileged user had left an organisation or changed roles to a position that no longer required privileged access.

“This is not just an issue with regard to external hackers,” said Bob Tarzey, Analyst and Director at Quocirca, the organisation that conducted the research for Osirium. “For example, the French Bank Société Générale lost €4.9 billion when a rogue trader was able to perpetrate and cover up a fraud for a couple of years because he still had access to a privileged user account which had not been disabled when he moved on. Many businesses lack systematic controls over privileged access and are unable to associate individuals acting under privilege with their actions; this is an unacceptable operational risk. It doesn’t need to be like this: default privileged user accounts, and those assigned to users who no longer need them, can be easily identified and closed if the business has the right tools in place.”

The ability to overcome this issue solves a critical security gap. These legacy accounts are typically hidden and unused, and their original purpose is often unclear, which means that disabling or removing associated actions can pose a significant security risk.

“Ensuring privileges are taken away from users that no longer require them can be controlled either by making the allocation of privileges an extension of standard identity and access management, or by granting all privileges on a ‘time-allocation’ basis,” continued Guyatt. “Osirium uses a systematic approach and, along with task automation, greatly reduces the disruption and manpower needed to complete the task. Consequently, the operational risks from legacy privileged accounts and the misuse of such credentials can be resolved once and for all.”